Blog article
See all stories ยป

An article relating to this blog post on Finextra:

Cambridge scientists blast 3-D Secure system

The 3-D Secure protocol adopted by banks and card schemes under the Verified by Visa and MasterCard SecureCode banners has been branded by Cambridge University academics as "a textbook example of how...


See article

3-D Insecure -possible heresy

 

It's interesting both that there have been no comments so far about this story and that there are quite a number of other blogs where the value of 3-D secure has been questioned. This seems to be an example of the Emperor's new clothes where everyone knows he is naked but won't admit it.

My experience of 3-D secure tends to support the Cambridge findings that there are inherent weaknesses. Each Bank tends to implement it differently and it isn't an integrated solution in that I am often called to verify transactions I have undertaken using it. What point a validation at purchase if the strength of verification isn't passed on to the paying Bank?

The problem I think is not just technical but much deeper rooted. Sure it is possible to devise a better technical solution and one is certainly needed. The problem however is more fundamental and is one of Governance.

In the past Visa and MasterCard were both wholly Bank owned and Banks which were issuers were often acquirers too. Now we have a total mix of issuers and acquirers and Visa & MasterCard are no longer wholly Bank owned. Who then are they working for? Their shareholder or their members? There seems to me to be a duopoly (members & shareholders) of interests which is in no one's interest. I may be wrong but it may not be long before the issuers and acquirers decide that their interests are better served by setting up a new payment system.

Ultimately it's an issue of standards. If someone can come up with an open but secure payments protocol with the ability to route transactions to the issuer for authorisation then why do we need an expensive middle layer called Visa & MasterCard?

There are already other options to V&MC. China Union Pay is already a major card system quite independent of the duopoly (of V&MC). Despite appearing unassailable I doubt whether in ten year time the payment landscape will bear any resemblance to what it does now. And maybe it really will offer a simple, secure, consistent and integrated authorisation process.

 

6833

Comments: (12)

A Finextra member
A Finextra member 29 January, 2010, 00:13Be the first to give this comment the thumbs up 0 likes

I'd hazard a guess that we'll have a very simple ubiquitous transaction and verification system. I've only been able to come up with one alternative which might stand the test of time - say a milleniumm let alone a couple of years.

Stephen Wilson
Stephen Wilson - Lockstep Group - Sydney 29 January, 2010, 01:48Be the first to give this comment the thumbs up 0 likes

"Stand the test of time"?  First Dean's solution needs to stand the test of public scrutiny.

Stephen Wilson
Stephen Wilson - Lockstep Group - Sydney 29 January, 2010, 01:59Be the first to give this comment the thumbs up 0 likes

Michael makes some really good points about the duopoly and the motivations for the credit card companies to act.  The standardisation dynamic has shifted with de-mutualisation.

I agree that the problem is not just technical.  But it has to be said that the technical aspects of the CNP fraud problem are not so great that they necessitate a wholesale change in online payments with regards the user's experience, the architecture, the four party model, and merchant liability. 

To my mind, the four party model is still perfectly fine.  The technical problem lies at one precise point in the process: merchants are vulnerable to replayed cardholder details, because today they cannot tell stolen ones and zeros from the real thing.  That problem can be solved directly and robustly by asymmetric cryptography (applying the same techniques at the web browser as what are applied at EMV terminals; the cryptographic building blocks are all standard now).

 

A Finextra member
A Finextra member 29 January, 2010, 12:14Be the first to give this comment the thumbs up 0 likes

If we are talking about party models of the least interesting kind - I'd put forward that the five party model will be most efficient and secure, and after all there are five parties to the transaction - or there should be.

The merchant and their bank, the customer and their bank and the communicator of the transaction.

It isn't possible to leave anyone out. Anyone volunteer to be not part of a transaction in their name or on their account or where their goods are walking out the door?

The fifth party is the facilitator.

Of the first four participants - the merchant has the most to make, the most to lose and the most power in the equation.

Presently we see a smaller number of merchant brands compared to years ago. These merchant brands have all the power.

That is why the five-party system will prevail and will probably be 'owned' by the merchants - rather than the banks. All it will take is for them to realise it.

With their own 'fifth party' they can reduce their costs and losses and improve the experience for the customer - the second most powerful party in the process.

Time will tell.

A Finextra member
A Finextra member 04 February, 2010, 00:24Be the first to give this comment the thumbs up 0 likes

Whilst government has an interest - private enterprise will provide the solution and to be blunt - those who cannot afford a mobile are both unlikely to represent profitable customers nor are they likely to pursue international travel - except on a leaky boat to OZ or Italy etc.

Governments will become aware of the massive cost saving in providing their citizens who can't afford one - with a mobile phone (and some are aware already). For perhaps their 'visitors' too?

I could just as easily and irrelevantly put forward some question as to what percentage have a bank account or a card or a reader or an eftpos network or even an income.

Clearly it is cheasper to provide the end user with a mobile than a government ID card, drivers license, passport, credit card, bank card, market-sellers permit etc, etc and all the required infrastructure of each. Something someone with an eye on the big picture would be acutely aware of.

A centralised process reduces the opportunity for corruption and waste, something which is endemic in the areas you suggest are short on mobiles and catastrophic in those countries surviving on aid.

The big view and the long view.

There have been one or two successful revolutions and perhaps we may see more and I suppose it depends on your idea of how fast a revolution is.

The world turns and you have no sensation of moving at thousands of miles per hour - and if some teacher or scientist had not told you, you would still be unaware! Does the moment you wake up to it constitute the revolution  - or was it going on the whole time? Cheers.

Stephen Wilson
Stephen Wilson - Lockstep Group - Sydney 04 February, 2010, 01:59Be the first to give this comment the thumbs up 0 likes

Dean said:

Those who cannot afford a mobile are both unlikely to represent profitable customers ...

But you're proposing to make mobile phone ownership compulsory to participate in your digital ID scheme.  I know plenty of "profitable customers" in middle Australia who don't have a mobile, or who only use their phone -- wait for it, wait for it -- to make calls. They would object strenuously to being forced by a bank let alone a government into such a scheme.

Clearly it is cheasper to provide the end user with a mobile than a government ID card, drivers license, passport, credit card, bank card, market-sellers permit etc, etc and all the required infrastructure of each. Something someone with an eye on the big picture would be acutely aware of.

This is nonsense. 

I'm assuming from your past writings that the idea is to carry multiple virtual credentials on the phone.  Nothing wrong with that per se (so long as the phone isn't the only medium available).  But by far the greatest proportion of the expense of issuing credentials (licences, passports, bank cards) is the business process of establishing the person's bona fides.  So the medium on which you then carry the credential is a tiny part of the issuing cost.  Likewise, the great majority of the infrastructure cost associated with processing electronic credentials in action is related to backend systems at the respective service providers; these are constant whether the credential is carried on a phone or a card. Buying someone a phone will be significantly more expensive than issuing them plastic cards, even smartcards, even one smartcard for every credential.

Stephen Wilson, Lockstep.

A Finextra member
A Finextra member 04 February, 2010, 02:49Be the first to give this comment the thumbs up 0 likes

Stephen, you pen -

*I know plenty of "profitable customers" in middle Australia who don't have a mobile, or who only use their phone -- wait for it, wait for it -- to make calls. They would object strenuously to being forced by a bank let alone a government into such a scheme.*

Do they outnumber those who would object strenuously to carrying an ID card?

Would those without a phone object strenuously to a free one?

Do you object to government waste? How much did you pay for your e-passport? How much did it cost to produce, your license, etc etc. If you knew the answers to these and were not focussed on offloading cards then you wouldn't ask the questions. The US claims were that the e-passport would cost over $10 to produce and sell for $97. Given the optimism of the security claims I question what it actually costs per passport.

Do they object to having to carry multiple devices/documents?

To make a card work you need a reader - who are to have them/pay for them (and the power/reader to make use of them) and the infrastructure to connect them?

I know of no-one who doesn't want it to be easier to interact with government agencies and the old adage is that 'you can't please all of the people all of the time'.

That also describes democracy - another thing which could be empowered/secured by mobile voting and few would object to that. I am a little over a pencil mark on a bit of paper securing my vote (in OZ we mark a box on paper ballot with a pencil -DOH!) Even our Prime Minister admits it would only take 2 or 3 people in a hundred to change their vote (or a few seconds with a rubber) to unseat him at the next election. Stephen would have us carry yet another card - our 'voter registration card'? Spare me (especially from attending the ballot box).

Stephen - as for your first and last paragraphs. Assumptions are just that - and often misguided.

Stephen Wilson
Stephen Wilson - Lockstep Group - Sydney 04 February, 2010, 03:28Be the first to give this comment the thumbs up 0 likes

I said "I know plenty of profitable customers [who] would object strenuously to being forced by a bank let alone a government into such a scheme".  Dean responded

Do they outnumber those who would object strenuously to carrying an ID card?

Yes, they do outnumber ID card opponents.  Lot's of older people don't embrace any cell phone function beyond making calls. And that includes SMS.

 

To make a card work you need a reader - who are to have them/pay for them (and the power/reader to make use of them) and the infrastructure to connect them?

Two responses.  First, it's not so black and white. A good thing about cards is that they are human readable as well as machine readable.  Cards come with well understood, well socialised security mechanisms like optically variable printing, holograms, photos etc. that make them useful in human-mediated transactions even when the infrastructure is down, or a reader is unavailable.  You cannot replicate these human-readable features on the display of a phone, because the image is synthetic, it has no inherent copy protection.  So credentials carried on your phone are really only machine readable if we're ttalking about security. 

In short, smartcards issued today are useful even without personal readers.  We can issue now and wait a while longer for readers.

Second, regarding readers, my money is on ISO-7816 standard smartcards becoming so widespread that we will see readers built into laptops.  Yes, I know this has been a long time coming.  Ever since 2003 pundits including me have claimed that integrated readers are coming.  But remember that it's common to overestimate what will happen in one year but underestimate what will hapen in ten.  So, in 2013, consider that there will way over a billion EMV cards worldwide, a billion odd smart ID cards, and 100s of millions of health smartcards. 

Built-in smartcard readers are not uncommon today. My three year old HP 6910 has one.  Even better, Dell has laptops (e.g. e6500) with both contact and contactless card readers built in.  So Dell too is betting on a new wave of applications for their customers' smartcards (probably their FIPS 201 PIV cards in particular; I think the e6500 is US-focused).

Oh, another thing.  Smartcards get a bad rap for requiring readers, but it's not like a mobile phone interfaces to any given terminal automatically.  You either connect over the mobile operator's network (and pay and pay and pay) or you use one of those cute extra channels, like NFC, or bar codes.  These interface standards require their own terminal hardware too, they aren't ubiquitous, and they're a lot less mature than ISO 7816 or 14443.

 

... another thing which could be empowered/secured by mobile voting and few would object to that. ... Stephen would have us carry yet another card - our 'voter registration card'? Spare me (especially from attending the ballot box).

Not necessarily a new card.  I do advocate using chips in one form or another to protect anonymous ballots.  In fact I presented a peer reviewed academic paper on this very topic at the AusCERT conference in 2008.

Having claimed that you can secure online voting, perhaps Dean the time has come for you to explain how it works?  If you claim it's more tamper resistant and more confidential than marking a ballot paper, then let's see how.  For me, any mention of mobile phone plus voting implies centralised authentication , so you have an architectural privacy challenge up front.

 

Stephen - as for your first and last paragraphs. Assumptions are just that - and often misguided

Well I'm sorry but all we have to go on is several years of your ambit claims.  So yes, I made assumptions.  If you refuse to tell us how it works, but persist in claiming it will revolutionise banking, government, healthcare, voting, and even how your mum greets the plumber at the door, then "misguded" does describe the state that all of us is in.

A Finextra member
A Finextra member 04 February, 2010, 05:11Be the first to give this comment the thumbs up 0 likes

Re: public disclosure (premature perhaps?) See Marite's story on finextra.

Loose lips sink ships.

I'd encourage others to explore the possibilities but to be honest I'd prefer to only have a house of cards as competition. Disclosure has a price, only I intend not to be the one paying it. Discipline. Patience...

 

A Finextra member
A Finextra member 04 February, 2010, 08:13Be the first to give this comment the thumbs up 0 likes

I actually commented on this subjected in September of 2008 here in FINEXTRA. It was under the title of "Mandatory Verified by Visa and UCAF/SPA".

"This seems to be an example of the Emperor's new clothes where everyone knows he is naked but won't admit it."  

Funny, I mentioned the same analogy way back in 2003.  And the emperor knows that he isn't wearing any clothes and does not care one bit because he is the emperor. Although it does offend some of us.

A slight improvement is being offered by some banks. They send one-time passcodes to their cardholders which they in turn use to authenticate themselves with verified by visa. Bravo...  But it's still not the answer. What prevents someone from publishing their own website to sell you $100 plasma TVs and popping a verified-by-visa stub to get not only your card details but also these one-time passcodes? Nada...

Stephen Wilson
Stephen Wilson - Lockstep Group - Sydney 05 February, 2010, 07:20Be the first to give this comment the thumbs up 0 likes

Dean thinks that smartcard readers are still the smartcard's Achilles heel:

To make a card work you need a reader - who are to have them/pay for them?

I swear I am not making this up.  I happened to chat today with a girl who has just received her new government-sponsored school laptop.  It was a Dell (e4300 I think).  And it has an integrated smartcard reader. 

Very cool.

A Finextra member
A Finextra member 05 February, 2010, 10:32Be the first to give this comment the thumbs up 0 likes

I bet she already had a mobile.

Cheers